What You Need to Know About GDPR

The concept of data protection has been around for many years, since the UK first implemented a Data Protection Act in 1984. The General Data Protection Regulation (GDPR) is a piece of legislation drawn up by the European Commission to unify data protection within the EU and to govern the export of personal data beyond the EU’s boundaries.

GDPR is due to come into force across the EU in May 2018 following a two-year transition period. Being a regulation rather than a directive, it doesn’t require enabling laws to be passed by member states.

Why Data Protection Matters

Businesses and public sector organizations are collecting more data about us than ever before. Our shopping and surfing habits are constantly analyzed in order to target us with appropriate advertising and offers. As the Internet of Things expands, the amount of information collected will continue to grow.

With all this information about us being held on computer systems there are, naturally, concerns about how it’s used and how safely it is stored. Since much of the information is collected by multinational enterprises, there are worries about where it might end up too.

What Will GDPR Do?

Because data protection concerns stretch across national boundaries, the introduction of GDPR seeks not just to regulate data within the EU. It seeks to extend EU data protection law to any organization holding information on EU citizens, even if that organization is based outside the EU.

It sets out a number of principles which are broadly similar to those already enshrined in the UK’s Data Protection Act. These are aimed at ensuring that data is gathered for legitimate purposes, that only data needed for those purposes is held, that the data is fairly and lawfully processed, and that it isn’t held for longer than necessary.

In order to make it easier for overseas companies to comply with the principles, GDPR will also harmonize data protection requirements across the European Union. Penalties of up to four per cent of global turnover can be levied on businesses that fail to comply. Each EU member state will have to set up an Independent Supervisory Authority to investigate complaints and determine penalties. These will be overseen by a European Data Protection Board (EDPB).

Businesses will need to be able to demonstrate that they comply with the principles. To do this they’ll need to have documentation in place that shows how they’re processing data; they may also need to appoint a data protection officer.

GDPR gives individuals a number of rights too. These include rights of access to and rectification of data, a right to restrict processing and a right to data portability. It also imposes a “right to erasure” which allows for data subjects to request that data relating to them is erased on various grounds including withdrawal of consent and unlawful processing.

What It Means for Businesses

Under GDPR organizations will need to set a retention period for stored data and supply contact details for a data protection officer and data controller as appropriate. If these posts don’t already exist within the organization it may be necessary to create them, though they needn’t be full-time roles; they could be carried out as part of another job such as database administrator or IT security. In some circumstances, for example public authorities and organizations carrying out large-scale monitoring of individuals, you must have a data protection officer to comply with GDPR.

GDPR also requires that privacy settings be set at a high level by default and that data protection be built into new business processes, so-called “privacy by design”. The Information Commissioner’s Office has guidance on this.

One of the most important implications for business is that consent needs to be obtained for collecting data and for the purposes for which it’s used. Individuals have the right to withdraw their consent, and data controllers need to be able to prove it’s been given. This will probably mean requiring users to complete a check box when installing software or signing up for a website.

When any new technology is introduced, businesses will need to carry out a data protection impact assessment (DPIA). This should set out a description of the processing, an assessment of the risk, and the measures in place to mitigate it.

Similarly, businesses need to be geared up to cope with the right to erasure. There are some circumstances in which businesses can refuse to comply with this, such as where data is held to meet a legal obligation. There are extra requirements if holding and processing data relating to children. These concern consent, for example whether it must be obtained from a parent or guardian.

Companies with fewer than 250 employees are required to maintain records of activities related to higher-risk processing. This will include processing personal data that could result in a risk to the rights and freedoms of an individual, CCTV footage of public areas for example, or processing special categories of data, such as those relating to criminal convictions and offenses.

What Next?

If businesses are already complying with domestic data protection legislation, then it’s unlikely that the introduction of GDPR is going to have a major impact on them. You do need to be aware of it though, and it may be seen as a good opportunity to review not only procedures but also what data is being held, how it’s used and whether it’s really needed.

Whilst June 2016’s Brexit vote will undoubtedly have some impact on how all this works in the UK, the fact that GDPR applies to all companies holding data on EU citizens means that many UK businesses that trade with Europe will still need to comply with its rules even after we leave the EU. You can’t afford to ignore it.

More information and a series of downloadable data sheets can be found on the European Commission website. An overview for UK users can be found on the Information Commissioner’s Office site.

3 Comments

Have you ever considered including a little bit more than just your articles? I mean, what you say is important and everything. However, imagine if you added some great pictures or video clips to give your posts more “pop”! Your content is excellent, but with pics and videos this site could certainly be one of the best in its field. Fantastic blog!

This blog is great, they don’t need more pictures or videos. This site is about providing information that is useful for data protection. I actually like the fact that it is not littered with pictures and videos rather it is packed with good information.

I am curious to find out what blog system you are utilizing? I’m having some small security issues with my latest site and I would like to find something more safeguarded. Do you have any solutions? sbobet
